Koozali.org: home of the SME Server

Externally accessible reverse SSH tunnel

Cylindric
Externally accessible reverse SSH tunnel
« on: June 11, 2009, 12:08:09 PM »
Greetings all.

In order to support some web development that I'm doing while roaming about a lot, I want to be able to forward certain traffic arriving at my SME box on to my laptop, wherever I happen to be.  As the laptop is often behind a firewall to which I have no access to set up port forwarding, I can't just use Dynamic DNS on it.

I figured I can use a reverse SSH tunnel, so I connect from my laptop to my SME using SSH, which then sets up a reverse tunnel to my laptop.

My problem is that I can get as far as the reverse tunnel, because from the server I can go http://localhost:8886 and see the website running on my laptop on :80, but I cannot access http://my.smeserver.address.com:8886 to do the same.

Initiating tunnelling using PuTTY on Windows, R8886 to localhost:80
Laptop is listening on :80
SME is set to port-forward 8886 to localhost:8886

From the server, I can use links to open http://localhost:8886 and see the laptop's site
From a remote location I can't go to http://my.smeserver.address.com:8886

Oh, and I've setup /etc/ssh/ssh_config as follows:
Host *
 GatewayPorts yes
 GSSAPIAuthentication yes
 ForwardX11Trusted yes

CharlieBrady
Re: Externally accessible reverse SSH tunnel
« Reply #1 on: June 11, 2009, 03:26:42 PM »
My problem is that I can get as far as the reverse tunnel, because from the server I can go http://localhost:8886 and see the website running on my laptop on :80, but I cannot access http://my.smeserver.address.com:8886 to do the same.

You can, by editing /etc/hosts, or the windows equivalent if you are using the inferior OS.

Cylindric
Re: Externally accessible reverse SSH tunnel
« Reply #2 on: June 11, 2009, 05:49:04 PM »
Irrelevant digs at operating systems aside, that's not the problem.

I can reach my SME server fine.

http://my.smeserver.address.com/server-manager works with no problems.  It's getting SME to tunnel requests to its local port 8886 through the established tunnel that's the problem.

CharlieBrady
Re: Externally accessible reverse SSH tunnel
« Reply #3 on: June 11, 2009, 05:51:46 PM »
It's getting SME to tunnel requests to its local port 8886 through the established tunnel that's the problem.

Use ProxyPass.

Cylindric
Re: Externally accessible reverse SSH tunnel
« Reply #4 on: June 11, 2009, 05:56:58 PM »
Could you elaborate on that a little?  Will that allow me to establish a remote SSH tunnel back to my laptop so that other people can connect to my server yet reach my laptop?

What is it in SME that's stopping the reverse proxy tunnel established using more traditional means from working?

Cylindric
Re: Externally accessible reverse SSH tunnel
« Reply #5 on: June 11, 2009, 06:25:02 PM »
In case I wasn't explaining things very well, here's a diagram of what I am trying to achieve:


electroman00
Re: Externally accessible reverse SSH tunnel
« Reply #6 on: June 11, 2009, 07:50:49 PM »
In case I wasn't explaining things very well, here's a diagram of what I am trying to achieve:


You explained it right, you didn't understand Charlies response right.

You have two choices, well three really: set up a proxy pass or add an entry to SME's hosts file.
The third we won't get involved in at this point.

http://localhost:8886
That works because there is a default host entry for localhost.

You just tagged the port to it.

http://my.smeserver.address.com:8886
Where is DNS going to find my.smeserver.address.com? It sure can't pull it out of thin air.

I would venture a guess that the forward from client to dev server will not be using the tunnel, as much as you think it is.

As much as you think that you're setting up a secure network, you've actually created a network security vulnerability.

AKA foobar Network Config.

Just because something works or (you think it works)...... doesn't mean it's not a network security vulnerability.

Sorry....reality is reality no matter how you butter it up.

However I won't try to deter you from the learning experience or did I already??

Nice Visio drawing, be nice if everyone did that when they post their issues here.

A+ for the drawing, F for network setup.

One out of two ain't bad.

However you only get an @ a boy for straight A's.

hth

Cylindric
Re: Externally accessible reverse SSH tunnel
« Reply #7 on: June 11, 2009, 09:26:25 PM »
Hmm, that's not a very constructive reply, but I'll try and respond.

Re: Security.  This is not designed to create some sort of super secure system. What I need is a fixed end-point at my static domain terminating at my SME server to be routed to a non-fixed end-point on my laptop.  The laptop could be anywhere.
"As much as you think you're setting up a secure network" Did I say that? I don't think I did.  I know this is circumventing some security aspects; that's the whole point. I want outsiders to have HTTP access to the laptop.

Re: DNS.  You seem to have misunderstood my networking completely.  It's no mystery how the client can find my.smeserver.address.com (in case you missed it, that's an example domain; mine is not really that). I have a domain registered.  That's a little outside the scope of this issue. The client can find it. The laptop can find it.  The server can find it.  The problem would be the same using nothing but IP addresses.

I'll take my query to the SSH community I think, where I'll hopefully get responses less lofty and condescending.

Knuddi
Re: Externally accessible reverse SSH tunnel
« Reply #8 on: June 11, 2009, 10:04:21 PM »
Wouldn't a VPN connection from your dev laptop to the SME server, and then a port forward on the SME server from 8886 to VPNIP:80, give you exactly what you are looking for?

Seems to be an easy solution.

electroman00
Re: Externally accessible reverse SSH tunnel
« Reply #9 on: June 11, 2009, 10:05:08 PM »
No

Knuddi
Re: Externally accessible reverse SSH tunnel
« Reply #10 on: June 11, 2009, 10:11:32 PM »
Assuming that the "No" was for an earlier comment, then using OpenVPN in bridge mode would provide the dev laptop with an IP address in the LAN range, and the standard port forwarding module in server-manager would be able to make a valid port forwarding rule.

Cylindric
Re: Externally accessible reverse SSH tunnel
« Reply #11 on: June 11, 2009, 10:13:21 PM »
Assuming that the "No" was for an earlier comment, then using OpenVPN in bridge mode would provide the dev laptop with an IP address in the LAN range, and the standard port forwarding module in server-manager would be able to make a valid port forwarding rule.
I'd be interested to hear if that "No" was in response to your idea or my response.  It sounds like it should work.

mmccarn
Re: Externally accessible reverse SSH tunnel
« Reply #12 on: June 11, 2009, 11:09:34 PM »
Oh, and I've setup /etc/ssh/ssh_config as follows:
Host *
 GatewayPorts yes
 GSSAPIAuthentication yes
 ForwardX11Trusted yes


I presume you mean /etc/ssh/sshd_config?

You may need to create a custom service on your SME to open port 8886, as described at http://wiki.contribs.org/Firewall#DB_Settings:
config set manta service access public status enabled TCPPort 8886

Or you may want to simply "open" port 8885 and forgo the port forwarding rule.

I've spent a couple of wasted weekends trying to do something similar for reverse VNC connections, but could never get it to work.


Cylindric
Re: Externally accessible reverse SSH tunnel
« Reply #13 on: June 12, 2009, 10:37:14 AM »
I presume you mean /etc/ssh/sshd_config?
Ah.  Oops. This might've just been it.  I put the GatewayPorts into sshd_config instead of ssh_config, rebooted, and it seems to just work \o/

Always the simple things.  Everything is now working as per the diagram \o/
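The fix the thread arrives at is that GatewayPorts has to be set in sshd_config on the SME server (the daemon that creates the -R listener), not in ssh_config, where the same keyword only affects -L forwards made from that host. As an added example that is not code from the thread or from SME Server, here is a small POSIX shell script that checks which file carries the setting, shows what bind address a -R forward ends up with under each GatewayPorts value (semantics per sshd_config(5)), and prints the matching client command for the 8886 to laptop:80 setup. The /etc/ssh paths, the user@host placeholder and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): which SSH config file governs a
# reverse (-R) forward's bind address, and the matching client command.
# Assumptions: OpenSSH server, default /etc/ssh paths, placeholder user/host.

# Effective value of a keyword in an OpenSSH config file. OpenSSH uses the
# first occurrence, matches keywords case-insensitively and ignores blank
# lines and comments; the "keyword=value" form is not handled here.
ssh_cfg_value() {
  # $1 = config file, $2 = keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Address the -R listener is bound to on the server, given the server-side
# GatewayPorts value and the bind address (if any) in the client's -R spec.
reverse_bind_address() {
  gw="$1" requested="$2"
  case "$gw" in
    yes) echo "0.0.0.0" ;;                 # forced onto the wildcard address
    clientspecified)                       # client chooses; default loopback
      if [ -n "$requested" ]; then echo "$requested"; else echo "127.0.0.1"; fi ;;
    *) echo "127.0.0.1" ;;                 # "no" (the default): loopback only
  esac
}

# The mistake in the thread: GatewayPorts in ssh_config (client side) only
# affects -L forwards opened from that host; the -R listener is governed by
# sshd_config on the server that accepts the tunnel.
diagnose_gatewayports() {
  # $1 = sshd_config path, $2 = ssh_config path (both on the tunnel endpoint)
  server=$(ssh_cfg_value "$1" GatewayPorts)
  client=$(ssh_cfg_value "$2" GatewayPorts)
  case "$server" in
    yes|clientspecified) echo "ok: sshd GatewayPorts=$server" ;;
    *)
      if [ -n "$client" ]; then
        echo "misplaced: GatewayPorts set in ssh_config, not sshd_config"
      else
        echo "missing: add 'GatewayPorts clientspecified' to sshd_config"
      fi ;;
  esac
}

# Client command for the thread's setup: server port 8886 to laptop port 80.
# "localhost" in the -R spec is resolved on the laptop, not on the server.
# With GatewayPorts clientspecified the 0.0.0.0 bind address must be given
# explicitly; with "yes" sshd forces it anyway.
reverse_tunnel_cmd() {
  # $1 = user@server, $2 = server port, $3 = laptop port
  printf 'ssh -N -R 0.0.0.0:%s:localhost:%s %s\n' "$2" "$3" "$1"
}

# Stand-alone demo against the live files, if present. Once the tunnel is
# up, confirm the public listener on the server with: ss -tln | grep ':8886'
if [ -r /etc/ssh/sshd_config ] && [ -r /etc/ssh/ssh_config ]; then
  diagnose_gatewayports /etc/ssh/sshd_config /etc/ssh/ssh_config
fi
reverse_tunnel_cmd user@my.smeserver.address.com 8886 80
```

Two practical points follow from this. GatewayPorts yes puts every -R listener that any SSH user on the server creates onto all interfaces; clientspecified exposes only the forwards that explicitly ask for 0.0.0.0, which is the tighter setting for a server that other people log in to. And the SSH side alone is not enough on SME: the listener only becomes reachable once the firewall admits TCP 8886, which is what mmccarn's config set line is for, so check both ss -tln on the server and a connection from outside.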